The Role of Honey Pots in Cyber Defense: An Introduction

By Tyler Cowher

Abstract

Deception technology in the cybersecurity and ransomware space has long been regarded as a method of threat actor data collection with strong potential. Some of this technology includes honeypots, honeyfiles, and honeynets: faux systems, files, and networks meant to mimic an organization’s digital resources so that new attack vectors and threat actor behavior can be studied without putting actual assets in harm's way. Its applications in security research and system hardening can be greatly beneficial when mitigating the ever-growing threat of ransomware. The use of deception technology, however, is often reserved for those who possess the time, money, and expertise to maintain the integrity and utility of these technologies. Critical infrastructure sectors, including healthcare, education, and energy, often miss out on the benefits of deception technology while remaining primary victims of ransomware. This work will analyze previous use cases of deception technology, specifically honey-based technology, together with new-age digital advancements, to determine potential applications for increased accessibility for critical infrastructure and research advancement.
An Introduction to Honeypots

Honeypots, technology designed to mimic systems in order to distract and lure bad actors away from valuable digital assets, can provide researchers and security professionals with the ability to investigate threat behavior up close, alert system hosts to intrusions, and isolate malicious software. However, proper implementation of honeypots is vital to their utility. Authorized users of an organization’s system or network should have no reason to access honeypots, while bad actors should find it easy to discover them.[1] Furthermore, the deceptive strength of a honeypot relies on its realism to attract threat actors. Honeypot architects need to ensure that the phony network is realistically structured and that enticing pieces of data, honeyfiles, are strategically placed around the honeypot. These files can be configured to alert a Security Information and Event Management (SIEM) system upon access, since they operate under the assumption that access can only be gained through unauthorized means.[2] The level of interaction offered by honeypots, honeyfiles, and similar components may also vary between organizations. For instance, high-interaction honey-tech may mimic entire operating systems, allowing bad actors to “interact” with the system as they please. Low-interaction honey-tech, however, may only emulate an operating system without providing any useful functionality.[3] Finding the balance between honey-tech type, interaction level, and data type is crucial when designing an effective deception system.
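As an added illustration of the honeyfile alerting described above (not code from the original essay or from any cited project), the following Python tripwire baselines decoy files using stat() metadata only and emits a SIEM-style JSON event on any change; the decoy name, temporary directory, and event schema are constructed for the demo.

```python
import socket
import tempfile
import time
from pathlib import Path

WATCHED = ("size", "mtime_ns", "ctime_ns", "atime_ns")  # fields no legitimate user changes

def fingerprint(path: Path) -> dict:
    """stat() only: the tripwire never opens the decoy, so it cannot trip itself.
    Reads surface only as atime_ns changes, which need atime updates enabled on the volume."""
    st = path.stat()
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns,
            "ctime_ns": st.st_ctime_ns, "atime_ns": st.st_atime_ns}

def snapshot(honeyfiles: list[Path]) -> dict:
    """Baseline every decoy right after placement; no authorized access follows."""
    return {str(p): fingerprint(p) for p in honeyfiles}

def alert(path: str, indicators: list[str]) -> dict:
    """SIEM-ready event: the decoy has no legitimate readers, so any touch is a finding."""
    return {"event": "honeyfile_access", "severity": "high", "host": socket.gethostname(),
            "path": path, "indicators": indicators,
            "observed_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())}

def check(baseline: dict) -> list[dict]:
    """Diff live decoys against the baseline; re-baseline so each touch alerts once."""
    alerts = []
    for path, old in list(baseline.items()):
        p = Path(path)
        if not p.exists():
            alerts.append(alert(path, ["deleted"]))
            baseline.pop(path)
            continue
        new = fingerprint(p)
        changed = [k for k in WATCHED if old[k] != new[k]]
        if changed:
            alerts.append(alert(path, changed))
            baseline[path] = new
    return alerts

def demo() -> tuple[list, list]:
    """Plant a constructed decoy, check it untouched, then simulate an intruder appending."""
    with tempfile.TemporaryDirectory() as d:
        decoy = Path(d) / "Q3_payroll_backup.xlsx"   # constructed decoy name
        decoy.write_bytes(b"constructed decoy content")
        baseline = snapshot([decoy])
        quiet = check(baseline)                       # untouched: expect no alerts
        with decoy.open("ab") as f:                   # simulated unauthorized write
            f.write(b"\x00" * 16)
        return quiet, check(baseline)
```

Because the monitor never opens the decoy it cannot trip itself, but a pure read shows up only as an atime change; on volumes mounted with relatime or noatime, pair this check with an OS-level file audit rule on the decoy path.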

Ensuring that the honeypot not only prevents or redirects an attack but also collects useful data on threat actor behavior is important. Dionaea, a popular open-source honeypot developed by The Honeypot Project, was able to isolate and download malicious payloads injected into a healthcare and medical device network so that the software could be analyzed for further research.[4] Conducting such research can equip the security industry with the knowledge and means of defending against threats that are constantly altering and improving their methods. Whether it be a harmful development in ransomware or the formation of a new threat actor group, honeypots can give insight into the cyber threat landscape and provide up-to-date detection and response information across organizations. Doing so requires expertise in proper security design, funding for development and labor, and strategic implementation, leaving this technology available only to those with sufficient resources.
Applications in Ransomware Defense

Ransomware, a type of malware designed to prevent organizations from accessing valuable data and to disrupt operations via encryption, data exfiltration, Distributed Denial of Service (DDoS) attacks, and more, quickly cemented itself as a primary method of attack across the threat landscape within the past decade. This rapid increase in ransomware use is largely due to the COVID-19 pandemic, which increased online activity through remote work, and to the establishment of Ransomware-as-a-Service (RaaS) markets, a term referring to the sale of prepackaged malicious software on the Darknet. From 2020 to 2021, the number of ransomware-related incidents reported by organizations rose by more than 78%, reaping an average payout of $1 million per incident.[5] Luckily, honeypots have the potential to mitigate many ransomware distributions. The technology can assist researchers by collecting samples of malicious software for analysis, with the goal of preventing the spread of the same ransomware. Identifiable and behavior-based data can be collected via a honeypot as well. Attacker IP addresses, credentials, access attempts, commands executed, time within the system, and more can be gathered for forensic analysis, providing actionable insights into bad actors.[6] Continued deployment of honeypots across commonly compromised systems could greatly benefit the development of security resiliency and aid officials in stopping cyber criminals or collectives. Unfortunately, the organizations that are most often targeted lack the financial support and ability to maintain the level of complexity required of honeypots capable of deceiving a bad actor. Scaling between high- and low-interaction honeypots based on attacker sophistication is possible; however, the cost of creating and deploying such a system outweighs any cost benefits associated with its implementation.[7]
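To show the forensic data collection described above in practice, here is an added Python example (not from the original essay or the cited works) that folds a honeypot event log into one record per attacker IP with login attempts, credentials tried, commands entered, and dwell time; the JSON-lines format, loosely modelled on what SSH honeypots emit, and the RFC 5737 documentation addresses are constructed for the demo.

```python
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample (JSON lines loosely modelled on SSH honeypot logs; RFC 5737 doc IPs)
SAMPLE_LOG = """\
{"ts":"2024-05-01T10:00:00Z","event":"session.connect","src_ip":"198.51.100.23","session":"a1"}
{"ts":"2024-05-01T10:00:02Z","event":"login.failed","src_ip":"198.51.100.23","session":"a1","username":"root","password":"123456"}
{"ts":"2024-05-01T10:00:05Z","event":"login.success","src_ip":"198.51.100.23","session":"a1","username":"admin","password":"admin"}
{"ts":"2024-05-01T10:00:09Z","event":"command.input","src_ip":"198.51.100.23","session":"a1","input":"uname -a"}
{"ts":"2024-05-01T10:00:15Z","event":"command.input","src_ip":"198.51.100.23","session":"a1","input":"cat /etc/passwd"}
{"ts":"2024-05-01T10:01:30Z","event":"session.closed","src_ip":"198.51.100.23","session":"a1"}
{"ts":"2024-05-01T11:20:00Z","event":"session.connect","src_ip":"203.0.113.7","session":"b2"}
{"ts":"2024-05-01T11:20:01Z","event":"login.failed","src_ip":"203.0.113.7","session":"b2","username":"root","password":"toor"}
not valid json: honeypot logs are attacker-influenced, so the parser must not crash here
{"ts":"2024-05-01T11:20:03Z","event":"session.closed","src_ip":"203.0.113.7","session":"b2"}
"""

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def new_record() -> dict:
    return {"sessions": 0, "login_attempts": 0, "credentials": [], "logged_in": False,
            "commands": [], "dwell_seconds": 0.0, "first_seen": None, "last_seen": None}

def summarize(log_text: str) -> dict[str, dict]:
    """One forensic record per source IP; dwell time sums connect-to-close per session."""
    attackers = defaultdict(new_record)
    opened = {}  # session id -> connect time
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip garbage rather than let one bad line stop the analysis
        rec, ts, kind = attackers[ev["src_ip"]], parse_ts(ev["ts"]), ev["event"]
        rec["first_seen"] = ts if rec["first_seen"] is None else min(rec["first_seen"], ts)
        rec["last_seen"] = ts if rec["last_seen"] is None else max(rec["last_seen"], ts)
        if kind == "session.connect":
            rec["sessions"] += 1
            opened[ev["session"]] = ts
        elif kind in ("login.failed", "login.success"):
            rec["login_attempts"] += 1
            rec["credentials"].append(f'{ev["username"]}:{ev["password"]}')
            rec["logged_in"] |= kind == "login.success"
        elif kind == "command.input":
            rec["commands"].append(ev["input"])  # stored as data, never executed
        elif kind == "session.closed" and ev["session"] in opened:
            rec["dwell_seconds"] += (ts - opened.pop(ev["session"])).total_seconds()
    return dict(attackers)
```

Every field in the input is attacker-controlled, so the summary keeps usernames and commands as opaque strings for a SIEM or analyst rather than interpreting them.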
Potential for Critical Infrastructure Implementations

As cloud-based infrastructure continues to develop and gain popularity, cost-effective and maintenance-free approaches to deception technology may become more accessible, provided by way of Honeypot-as-a-Service (HaaS) or Virtual Honeypot (ViH) solutions. Ideally, a HaaS provider would supply the maintenance and expertise needed to support an effective honeypot system hosted external to the customer’s network. Data centers would host virtual machines designed to cater to the customer’s unique needs, maintaining the complexity required to draw in bad actors. Real and honeypot IP addresses could even be randomized at regular intervals to ensure integrity and prevent mapping of any kind. An entirely outsourced honeypot system is also considerably less costly than an insourced (developed in-house) or even a centralized outsourced (managed by an external vendor but integrated in-house) honeypot.[8] These benefits, however, come with potential regulatory, trust, and accountability challenges that may require continued development and research to mitigate. With technology advancing at an exponential rate, deception services will have to improve alongside advanced threats while maintaining cost-effectiveness for critical infrastructure.
Conclusion

Honey-tech can provide organizations with defense- and detection-based measures against the constantly evolving threat landscape. As ransomware threats continue to grow in sophistication and frequency, providing accessible deception technology solutions to ill-funded organizations responsible for critical infrastructure, in a cost-effective yet resilient and complexity-assured manner, is critical. Continued advancements in research are essential to mitigate exponentially evolving threats and to protect vulnerable industries from malicious activity.

Bibliography

Baig, Zubair, Sri Harsha Mekala, and Sherali Zeadally. “Ransomware Attacks of the COVID-19 Pandemic: Novel Strains, Victims, and Threat Actors.” IT Professional 25, no. 5 (2023): 37–44. https://doi.org/10.1109/mitp.2023.3297085.

El-Kosairy, Ahmed, and Marianne A. Azer. “Intrusion and Ransomware Detection System.” 2018 1st International Conference on Computer Applications & Information Security (ICCAIS), 2018, 1–7. https://doi.org/10.1109/cais.2018.8471688.

Fan, Wenjun, Zhihui Du, Max Smith-Creasey, and David Fernández. “HoneyDOC: An Efficient Honeypot Architecture Enabling All-Round Design.” IEEE Journal on Selected Areas in Communications 37, no. 3 (2019): 683–97. https://doi.org/10.1109/jsac.2019.2894307.

Yadav, Aastha, Sarthak Raisurana, and N Ch Sriman Narayana Iyengar. “Analysis of a Honeypot Intrusion Detection System for Medical and Healthcare Services.” Journal of Innovative Technology Convergence 4, no. 1 (2022): 49–58. https://doi.org/10.69478/jitc2022v4n1a02.

Jafarian, Jafar Haadi, and Amirreza Niakanlahiji. “Delivering Honeypots as a Service.” Proceedings of the 53rd Hawaii International Conference on System Sciences, 2020. https://doi.org/10.24251/hicss.2020.227.

Javadpour, Amir, Forough Ja’fari, Tarik Taleb, Mohammad Shojafar, and Chafika Benzaïd. “A Comprehensive Survey on Cyber Deception Techniques to Improve Honeypot Performance.” Computers & Security 140 (2024): 103792. https://doi.org/10.1016/j.cose.2024.103792.

Lanka, Phani, Khushi Gupta, and Cihan Varol. “Intelligent Threat Detection—AI-Driven Analysis of Honeypot Data to Counter Cyber Threats.” Electronics 13, no. 13 (2024): 2465. https://doi.org/10.3390/electronics13132465.

Ransomware.org. “Honeypots and Honeyfiles.” ActualTech Media (blog), n.d. https://ransomware.org/how-to-prevent-ransomware/threat-hunting/honeypots-and-honeyfiles/.

Notes

[1] Ransomware.org, “Honeypots and Honeyfiles,” ActualTech Media (blog), n.d., https://ransomware.org/how-to-prevent-ransomware/threat-hunting/honeypots-and-honeyfiles/. 

[2] Ahmed El-Kosairy and Marianne A. Azer, “Intrusion and Ransomware Detection System,” 2018 1st International Conference on Computer Applications & Information Security (ICCAIS), 2018, 1–7, https://doi.org/10.1109/cais.2018.8471688. 

[3] Wenjun Fan et al., “HoneyDOC: An Efficient Honeypot Architecture Enabling All-Round Design,” IEEE Journal on Selected Areas in Communications 37, no. 3 (2019): 683–97, https://doi.org/10.1109/jsac.2019.2894307. 

[4] Aastha Yadav, Sarthak Raisurana, and N Ch Sriman Narayana Iyengar, “Analysis of a Honeypot Intrusion Detection System for Medical and Healthcare Services,” Journal of Innovative Technology Convergence 4, no. 1 (2022): 49–58, https://doi.org/10.69478/jitc2022v4n1a02.

[5] Zubair Baig, Sri Harsha Mekala, and Sherali Zeadally, “Ransomware Attacks of the COVID-19 Pandemic: Novel Strains, Victims, and Threat Actors,” IT Professional 25, no. 5 (2023): 37–44, https://doi.org/10.1109/mitp.2023.3297085.

[6] Phani Lanka, Khushi Gupta, and Cihan Varol, “Intelligent Threat Detection—AI-Driven Analysis of Honeypot Data to Counter Cyber Threats,” Electronics 13, no. 13 (2024): 2465, https://doi.org/10.3390/electronics13132465. 

[7] Amir Javadpour et al., “A Comprehensive Survey on Cyber Deception Techniques to Improve Honeypot Performance,” Computers & Security 140 (2024): 103792, https://doi.org/10.1016/j.cose.2024.103792. 

[8] Jafar Haadi Jafarian and Amirreza Niakanlahiji, “Delivering Honeypots as a Service,” Proceedings of the 53rd Hawaii International Conference on System Sciences, 2020, https://doi.org/10.24251/hicss.2020.227.